Ink Workspace - Block users from accessing the ink workspace. When this setting is not configured, the ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.

Number of sign-in failures before wiping device - For devices running Windows 10: If the device has BitLocker enabled, it's put into BitLocker recovery mode after sign-in fails the number of times that you specified. If the device is not BitLocker enabled, then this setting doesn't apply. For devices running Windows 10 Mobile: After sign-in fails the number of times you specify, the device is wiped.

Maximum minutes of inactivity until screen locks - Specifies the length of time a device must be idle before the screen is locked.

Password expiration (days) - Specifies the length of time after which the device password must be changed.

Prevent reuse of previous passwords - Specifies the number of previously used passwords that are remembered by the device.

Simple passwords – Lets you allow the use of simple passwords like 1111 and 1234. This setting also allows or blocks the use of Windows picture passwords.

Publish user activities: Set this to Block to prevent shared experiences and discovery of recently used resources in the task switcher.

Local activities only: Set this to Block to prevent shared experiences and discovery of recently used resources in task switcher based only on local activity.

You can define information that all apps on the device can access. You can define exceptions on a per-app basis using Per-app privacy exceptions.

Radios - Some apps use radios (for example, Bluetooth) in your device to send and receive data and need to turn these radios on or off. Define whether this app can control these radios.

Sync with devices - Define whether this app can automatically share and sync info with wireless devices that don't explicitly pair with this PC, tablet, or phone.

Per-app privacy exceptions

You can add apps that should have a different privacy behavior from what you defined in “Default privacy”.

Radios - Some apps use radios (for example, Bluetooth) in your device to send and receive data and need to turn these radios on or off. Define whether this app can control these radios.

Sync with devices - Define whether this app can automatically share and sync info with wireless devices that don't explicitly pair with this PC, tablet, or phone.

Homepages - Add a list of sites that you want to use as home pages in the Edge browser (desktop only).

Changes to start page – Lets users change the start pages displayed when Edge is opened. Use the Homepages setting to create the page, or list of pages, that is opened when Edge starts.

Block access to About flags - Prevent the end user from accessing the about:flags page in Edge that contains developer and experimental settings.

Connected devices service – Lets you choose whether to allow the connected devices service, which enables discovery and connection to other Bluetooth devices.

NFC - Lets the user enable and configure Near Field Communications capabilities on the device.

Display

Turn on GDI scaling for apps

Turn off GDI scaling for apps

GDI DPI Scaling lets apps that are not DPI aware become per-monitor DPI aware. Specify the legacy apps that have GDI DPI Scaling turned on. If GDI DPI Scaling is configured to both turn on and turn off for an app, scaling is turned off for the app.

Kiosk (Preview)

A kiosk device typically runs one app, or a specific set of apps. Users are prevented from accessing any features or functions on the device outside of any kiosk apps.

Single app kiosk - The profile enables the device to only run one app. When the user signs in, a specific app starts. This mode also restricts the user from opening new apps, or changing the running app.

Multi-app kiosk - The profile enables the device to run multiple apps. Only the apps you add are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by only accessing apps they need, and removing from their view the apps they don’t need.

Assigned users - Add one or more user accounts that can use the apps you add. When the account signs in, only the apps defined in the configuration are available. The account may be local to the device or an Azure AD account login associated with the kiosk app.

End user access to Defender - Controls whether the Windows Defender user interface is hidden from end users. When this setting is changed, it takes effect the next time the end user's PC is restarted.

Monitor file and program activity - Allows Defender to monitor file and program activity on devices.

Days before deleting quarantined malware - Lets Defender continue to track resolved malware for the number of days you specify so that you can manually check previously affected devices. If you set the number of days to 0, malware remains in the Quarantine folder and is not automatically removed.

Cloud protection - Allows or blocks the Microsoft Active Protection Service from receiving information about malware activity from devices that you manage. This information is used to improve the service in the future.

Actions on detected malware threats – Enable this option to specify the actions you want Defender to take for each threat level it detects (Low, Moderate, High, and Severe). The actions you can take are:

Clean

Quarantine

Remove

Allow

User defined

Block

Windows Defender Antivirus Exclusions

Files and folders to exclude from scans and real-time protection - Adds one or more files and folders like C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't included in any real-time or scheduled scans.

File extensions to exclude from scans and real-time protection - Add one or more file extensions like jpg or txt to the exclusions list. Any files with these extensions are not included in any real-time or scheduled scans.

Processes to exclude from scans and real-time protection - Add one or more processes of the type .exe, .com, or .scr to the exclusions list. These processes are not included in any real-time or scheduled scans.
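
Because excluded items are skipped by both real-time and scheduled scans, it is worth reviewing the three lists before a profile is deployed. The following is an added example, not part of the original documentation: the function name `Test-DefenderExclusions`, its rule sets, and the sample lists are assumptions made for illustration.

```powershell
# Added example: flag exclusion entries that switch off scanning for locations
# or file types where executable content commonly lands.
# The rule sets below are illustrative assumptions; tune them for your environment.
function Test-DefenderExclusions {
    param(
        [string[]]$Paths = @(),
        [string[]]$Extensions = @(),
        [string[]]$Processes = @()
    )
    $broadPathPatterns = @(
        '^[a-z]:\\?$',                                              # whole drive
        '^%(temp|tmp|appdata|localappdata|userprofile|public)%',    # user-writable variables
        '^[a-z]:\\(users|programdata|windows\\temp)(\\|$)'          # user-writable trees
    )
    $riskyExtensions = 'exe','dll','com','scr','ps1','bat','cmd','vbs','js','hta','msi'
    $scriptHosts     = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe',
                       'cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'

    foreach ($p in $Paths) {
        # -match is case-insensitive by default
        if ($broadPathPatterns | Where-Object { $p -match $_ }) {
            [pscustomobject]@{ List = 'Path'; Value = $p
                               Reason = 'Drive root or user-writable location' }
        }
    }
    foreach ($e in $Extensions) {
        if ($riskyExtensions -contains $e.TrimStart('.').ToLowerInvariant()) {
            [pscustomobject]@{ List = 'Extension'; Value = $e
                               Reason = 'Executable or script file type' }
        }
    }
    foreach ($proc in $Processes) {
        $name = ($proc -split '[\\/]')[-1].ToLowerInvariant()
        if ($scriptHosts -contains $name) {
            [pscustomobject]@{ List = 'Process'; Value = $proc
                               Reason = 'Interpreter or script host' }
        }
    }
}

# Constructed sample lists. On a managed device the effective values can be read
# with Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess).
$sample = @{
    Paths      = 'C:\', '%ProgramFiles%\Path\filename.exe', 'C:\Users\Public\Downloads'
    Extensions = 'jpg', 'txt', '.ps1'
    Processes  = 'C:\Tools\backup.exe', 'powershell.exe'
}
Test-DefenderExclusions @sample | Format-Table -AutoSize
```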

Proxy exceptions - Enter any URLs that must not use the proxy server. Use a semicolon to separate each item.

Bypass proxy server for local address - If you don't want to use the proxy server for local addresses on your intranet, enable this option.

Windows Spotlight

Windows Spotlight – Use this setting to block all Windows Spotlight functionality on Windows 10 devices. If you block this setting, the following settings are not available.

Reporting and Telemetry

Specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests, using a Secure Sockets Layer (SSL) connection. The format for this setting is server:port. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data is not transmitted and remains on the local device.